
Missing Hosts File

I am managing a network with 7 PCs (XP) and a server (2003 SBS) on a domain. All are running eEye Blink AV. The issue is that on a single machine the hosts file disappeared a few months ago and was rebuilt. I went to block Lizamoon.com this weekend and noticed that another machine was missing its hosts file. My boss wants me to find out why this is happening. Both machines are scanned for malware regularly and none of the user accounts have rights to modify the file. I searched on Google and only found info on rebuilding the file, not reasons for it. Has anyone out there come across this, and the reason for it besides malware?

Just off the top of my head. As everyone knows, AV software is reactive. That is to say, you have to get infected with malicious software or a virus before your antivirus software will do its job. For those of you who don't know, AV software does not prevent you from downloading a virus. It just prevents the thing from running... Arggg, long week.

Anyway, I don't know eEye, but I'm sure you can set it to delete any file it cannot clean. Check your AV logs to see if it deleted the hosts file. And put super glue in the USB ports. (Never mind.)

Some malware can also modify your hosts file so that common sites go to their ad-riddled and infected sites. Maybe eEye Blink AV doesn't trust that the changes you've put into your hosts file should be there?

I've never used that AV software before, so I can't comment on what it does and doesn't do, but it certainly is something to look into.

I know that some security products use the hosts file to redirect malicious sites to 127.0.0.1. Could it be a failed update of some sort... like the file is deleted before getting written back, and the write-back fails?

I really have no idea how Windows itself handles the hosts file either.

I do find it strange that malware would want to delete the hosts file anyway... modify it perhaps, but not delete... that seems a bit too obvious to me.

Yeah, the hosts file was actually not there. All the systems there have the same setup. This has happened on 2 of the 7. It is odd, and there isn't much information on the subject that I can find. It's even more curious because the machines are on a domain, and the users with the issue don't have access to the file.

> I really have no idea how Windows itself handles the hosts file either.

Wow. On the net long enough... you're bound to see it all. I poke, of course, but really you're that on most of the time.

So... the hosts file operates like hosts on Linux; the default for Windows is to check the hosts file first, then resolve via DNS. Any entry in the Windows hosts file that is set up with #PRE at the end of the line causes Windows to preload that entry.

i.e. 127.0.0.1 some.adserver.com #PRE

And agreed, it's odd that the cracker/spammer/malware would delete the file; more likely it would either wipe out the file and add its own redirections...

> So... the hosts file operates like hosts on Linux; the default for Windows is to check the hosts file first, then resolve via DNS. Any entry in the Windows hosts file that is set up with #PRE at the end of the line causes Windows to preload that entry.

That's pretty much what I suspected. I know Windows doesn't need a hosts file, and from what you are saying I would conclude that all it does is read the file if there is one present. So I guess we can rule out any sort of Windows corruption.

The hosts file is just a simple text file without the .txt extension, so the question is how are you editing or updating it? With Notepad I would just expect the file to be overwritten on save. Whilst that might be a problem, I would expect you to be left with a corrupt file, as opposed to no file at all?

If you are using some other software, it may well delete the existing file and then write the new one. That could explain why it has gone missing? You might run a file recovery program to check for a deleted hosts file?

If the file name/header has been corrupted then it may well be there, but you can't find it. You might try searching for a few known strings in the file?

One thing I would do is run the manufacturer's diagnostics on the hard drives in the two machines in question. A dying hard drive is often the cause of files getting corrupted or disappearing.

I would suggest that whenever you edit the hosts file on a machine you check that the file is there afterwards. That could tell you if there is a problem with the editing/updating process?

Do you have a clean, stable electrical supply... no neon lights on the same circuit? Power blips can have strange effects when you are updating stuff.
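Added example, not from anyone in this thread: a small Python audit script to run on each of the machines, which reports a missing hosts file, hashes the file so the 7 PCs can be compared against a known-good copy, and flags entries that redirect a name to a reachable address (the kind of modification the thread worries about). The sample hosts content, the path derived from %SystemRoot% and the function names are assumptions.

```python
import hashlib
import ipaddress
import os

# Default location on XP / 2003; derived from %SystemRoot% (assumption).
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "system32", "drivers", "etc", "hosts")

# Constructed sample content: two blocking entries and one hijack-style entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       lizamoon.com          # blocked by admin
0.0.0.0         some.adserver.com
10.9.8.7        www.example-bank.com  # constructed: points at a reachable host
"""

def parse_hosts(text):
    """Return (address, [names]) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def suspicious_entries(text):
    """Entries that send a name anywhere other than a blocking address.
    A blocking entry uses loopback or 0.0.0.0; a hijack has to point at a
    reachable host, so anything else (or an unparseable address) is flagged."""
    flagged = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, names, "unparseable address"))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((addr, names, "redirects to a reachable address"))
    return flagged

def audit_hosts(path=HOSTS_PATH):
    """Report a missing file, or its SHA-256 (to compare the 7 PCs against a
    known-good copy) plus any suspicious entries."""
    if not os.path.isfile(path):
        return {"path": path, "status": "missing"}
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "status": "present",
            "sha256": hashlib.sha256(data).hexdigest(),
            "suspicious": suspicious_entries(data.decode("utf-8", "replace"))}
```

Run as a scheduled task after each hosts edit and keep the hash; a "missing" result with no matching entry in the AV log points at the editing or update process rather than the scanner.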